feat(luks_ssh): Update with latest upstream changes
This includes a MOTD and some small adjustments for Fedora etc.
See a35fbc1ec4
This commit is contained in:
parent
db6f516bee
commit
20e150f453
6 changed files with 40 additions and 17 deletions
|
@ -12,10 +12,7 @@ check() {
|
|||
|
||||
# called by dracut
|
||||
depends() {
|
||||
# If systemd-networkd runs on the system, use it.
|
||||
if systemctl -q is-active systemd-networkd; then
|
||||
echo systemd-networkd
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# called by dracut
|
||||
|
@ -40,6 +37,7 @@ install() {
|
|||
return 1
|
||||
fi
|
||||
|
||||
# Modified to match the ansible install path used in tasks/main.yml
|
||||
authorized_keys="${moddir}/authorized_keys"
|
||||
#if [ -e /root/.ssh/dracut_authorized_keys ]; then
|
||||
# authorized_keys=/root/.ssh/dracut_authorized_keys
|
||||
|
@ -66,22 +64,25 @@ install() {
|
|||
inst_simple "${moddir}/sshd.service" "$systemdsystemunitdir/sshd.service"
|
||||
inst_simple "${moddir}/sshd_config" /etc/ssh/sshd_config
|
||||
|
||||
grep '^sshd:' /etc/passwd >> "$initdir/etc/passwd"
|
||||
grep '^sshd:' /etc/group >> "$initdir/etc/group"
|
||||
{ grep '^sshd:' $dracutsysrootdir/etc/passwd || echo 'sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin'; } >> "$initdir/etc/passwd"
|
||||
{ grep '^sshd:' $dracutsysrootdir/etc/group || echo 'sshd:x:74:'; } >> "$initdir/etc/group"
|
||||
|
||||
# Create privilege seperation directory
|
||||
# /var/empty/sshd -> Fedora, CentOS, RHEL
|
||||
# /var/emtpy -> Arch, OpenSSH upstream
|
||||
# /var/lib/empty -> Suse
|
||||
# /run/sshd -> Debian
|
||||
# /var/chroot/ssh -> Void Linux
|
||||
# Create privilege separation directory
|
||||
# /var/empty/sshd -> Fedora, CentOS, RHEL
|
||||
# /usr/share/empty.sshd -> Fedora >= 34
|
||||
# /var/emtpy -> Arch, OpenSSH upstream
|
||||
# /var/lib/empty -> Suse
|
||||
# /var/chroot/ssh -> Void Linux
|
||||
local d
|
||||
for d in /var/empty/sshd /var/empty /var/lib/empty /run/sshd /var/chroot/ssh ; do
|
||||
for d in /var/empty/sshd /usr/share/empty.sshd /var/empty /var/lib/empty /var/chroot/ssh ; do
|
||||
if [ -d "$d" ]; then
|
||||
mkdir -p -m 0755 "$initdir$d"
|
||||
break
|
||||
fi
|
||||
done
|
||||
# workaround for Silverblue (in general for ostree based os)
|
||||
if grep ^OSTREE_VERSION= /etc/os-release > /dev/null; then
|
||||
mkdir -p -m 0755 "$initdir/var/empty/sshd"
|
||||
fi
|
||||
|
||||
systemctl -q --root "$initdir" enable sshd
|
||||
|
||||
|
@ -93,6 +94,8 @@ install() {
|
|||
mkdir -p -m 0755 "$initdir/var/log"
|
||||
touch "$initdir/var/log/lastlog"
|
||||
|
||||
inst_simple "${moddir}/motd" /etc/motd
|
||||
inst_simple "${moddir}/profile" /root/.profile
|
||||
|
||||
return 0
|
||||
}
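Review bot: The privilege-separation directory probe `if [ -d "$d" ]; then` tests the build host's filesystem, while the passwd/group lookups earlier in the same hunk are keyed on `$dracutsysrootdir`, so a build against a sysroot picks whichever directory happens to exist on the host rather than on the target; `if [ -d "${dracutsysrootdir}$d" ]; then` keeps the two consistent, and the ostree check can read `"$dracutsysrootdir"/etc/os-release` the same way. `$dracutsysrootdir` is also expanded unquoted in both grep lines, which breaks on a path containing whitespace; `"$dracutsysrootdir"/etc/passwd` is enough. The hard-coded `sshd:x:74:74:…` fallback is only reached when the host has no sshd account, but nothing checks that uid/gid 74 is unused in the initramfs passwd and group being assembled — a comment stating that assumption, or a check before the echo, would make it explicit. install() starts and ends outside this hunk.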
|
||||
|
||||
|
|
8
roles/luks_ssh/files/motd
Normal file
8
roles/luks_ssh/files/motd
Normal file
|
@ -0,0 +1,8 @@
|
|||
Welcome to the early boot SSH environment. You may type
|
||||
|
||||
systemd-tty-ask-password-agent
|
||||
|
||||
(or press "arrow up") to unlock your disks.
|
||||
|
||||
This shell will terminate automatically a few seconds after the
|
||||
unlocking process has succeeded and when the boot proceeds.
|
7
roles/luks_ssh/files/profile
Normal file
7
roles/luks_ssh/files/profile
Normal file
|
@ -0,0 +1,7 @@
|
|||
if [ -n "$SSH_TTY" ]; then
|
||||
export PS1='initramfs-ssh:${PWD}# '
|
||||
fi
|
||||
|
||||
if [ -n "$TERM" ]; then
|
||||
export TERM=vt220
|
||||
fi
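Review bot: The guard `if [ -n "$TERM" ]; then export TERM=vt220; fi` only sets TERM when the client already sent one, which unconditionally discards that value and leaves TERM unset when it was absent. If the intent is to force vt220 because the initramfs ships no other terminfo, the test is redundant and a bare `export TERM=vt220` is clearer; if the intent is a default for clients that send nothing, the test is inverted and should be `if [ -z "$TERM" ]; then`. A one-line comment stating which is meant would stop the next reader from "fixing" it the wrong way.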
|
|
@ -28,5 +28,9 @@ KillMode=process
|
|||
Restart=on-failure
|
||||
RestartSec=42s
|
||||
|
||||
# Create privilege separation directory /run/sshd for Debian/Ubuntu
|
||||
RuntimeDirectory=sshd
|
||||
RuntimeDirectoryMode=0755
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
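Review bot: The comment `# Create privilege separation directory /run/sshd for Debian/Ubuntu` understates what the directive does: `RuntimeDirectory=sshd` creates /run/sshd on every distribution this unit runs on, and because the module-setup loop in this commit no longer lists /run/sshd, this directive is now the only thing providing the directory on Debian-style layouts. A wording such as `# RuntimeDirectory= creates /run/sshd on all distros; it is the privsep dir on Debian/Ubuntu, which module-setup.sh no longer pre-creates` keeps that dependency visible to whoever edits either file. The unit's earlier sections are outside this hunk.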
|
||||
|
|
|
@ -66,6 +66,8 @@
|
|||
become: true
|
||||
with_items:
|
||||
- "sshd.service"
|
||||
- "profile"
|
||||
- "motd"
|
||||
notify: Regenerate dracut
|
||||
|
||||
- name: Copy templated module files
|
||||
|
@ -129,7 +131,7 @@
|
|||
masked: true
|
||||
become: true
|
||||
when:
|
||||
- ansible_os_family == "RedHat" and not ansible_distribution == "Rocky"
|
||||
- ansible_os_family == "RedHat" and ansible_distribution == "CentOS"
|
||||
- luks_ssh_disable_state_import
|
||||
|
||||
- name: Disable import-state service, so that it doesn not overwrite ifcfg scripts.
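Review bot: The new condition `ansible_os_family == "RedHat" and ansible_distribution == "CentOS"` narrows this `masked: true` task from every RedHat-family distribution except Rocky to CentOS only, so Fedora and RHEL hosts silently stop masking the service even when `luks_ssh_disable_state_import` is set. If that is intentional (the commit message mentions Fedora adjustments), a comment next to the `when:` along the lines of `# deliberately CentOS-only; Fedora/RHEL/Rocky are skipped` would document it; if not, `ansible_distribution in ["CentOS", "Fedora", "RedHat"]` keeps Rocky excluded while restoring the others. The task's `name:` line is above this hunk, so which unit is masked cannot be confirmed from here.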
|
||||
|
|
|
@ -4,7 +4,6 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|||
AuthenticationMethods publickey
|
||||
UsePAM no
|
||||
X11Forwarding no
|
||||
ForceCommand systemd-tty-ask-password-agent
|
||||
Port {{ luks_ssh_port }}
|
||||
|
||||
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
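Review bot: If the dropped line is `ForceCommand systemd-tty-ask-password-agent` (the new MOTD, which tells the user to type that command, suggests it is), every key in authorized_keys is upgraded from "may answer the passphrase prompt" to an unrestricted root shell in the initramfs, which once the volumes are open can read them and their dm-crypt key material; the commit description does not mention this widening. If an interactive shell is a deliberate feature, say so in a comment in the template and restrict keys that should only unlock with a `command="systemd-tty-ask-password-agent"` option in authorized_keys, so that only keys without it get the shell; if not, restore `ForceCommand systemd-tty-ask-password-agent`. With a shell available, `AcceptEnv LANG LC_*` now feeds the shell's locale rather than just the agent — acceptable, but worth noting in the same comment.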
|
||||
|
|